On 05/22/2017 12:56 PM, Colm MacCárthaigh wrote:
>
> On Mon, May 22, 2017 at 10:46 AM, Christian Huitema
> <huit...@huitema.net> wrote
>
>     Check DKG's analysis of 0-RTT for DNS over TLS:
>     https://www.ietf.org/mail-archive/web/dns-privacy/current/msg01276.html
>     There is only one point of concern, a minor privacy leak if the
>     DNS queries in the 0-RTT data can be replayed at intervals chosen
>     by the attacker. The idea is to replay the data to a resolver, and
>     then observe the queries going out to authoritative servers in
>     clear text. The correlation can be used to find out what domain
>     the client was attempting to resolve. The attack requires "chosen
>     time" by the attacker, and thus will probably be mitigated by a
>     caching system that prevents replays after a short interval.
>
> I have a reply to that too, linked at the bottom: there's actually a
> more trivial side-channel (due to non-idempotence) that hadn't been
> considered in the original analysis.
>

Sorry for being daft, but a direct link to this additional side-channel
would be helpful.

-Ben